3 June 2019

STANAG-4285 1200bps/L in async mode

Interesting recording of STANAG-4285 1200bps/L blocks which transport 8N1 framed streams (async ops).

Fig. 1
After demodulation (I preferred to use my Harris RF-5710A modem), each block consists of 476 bytes of data and share the same header (Fig. 2):
00 52 00 00 A4 3A 29 21 5C F0 01 4C 00 00 00 00 00 00 00 F2 40 19 77 E6 ...
don't know what the "signature" could be (encryption, compression, protocol encapsulation...), anyway the messages are not sent in clear-text.

Fig. 1
Recording picked up on 7559.0 KHz/USB using http://swloi33.proxy.kiwisdr.com:8073/ 


28 May 2019

KW-46/KIV-7M secured fleet broadcast using the GA-205 multiplex (Australian RAN)

This is a very interesting STANAG-4285 signal spotted on May 24 on 6378.0 KHz USB thanks to the KiwiSDR owned by VK6QS in Collie, Western Australia. About the 6378 KHz, some old WUN logs report the callsign VZD800, at that time attribuited to the Royal Australian Navy (RAN). On my side, on that same frequency I spotted the Australian MHFCS net operating in ISB/FSK: so, as also confirmed by the direction finding, the source is definitely in Australia. 
In my opinion, I believe this is a KW-46 (or KIV-7M) secured multichannel fleet broadcast originated by the GA-205 TDM [1]: a 12-channel time division multiplexer that was just deployed at RAN by DRS Technologies (Fig. 1).

Fig. 1

Now, the way I came up to this conclusion.
The HF waveform is STANAG-4285, here used in the usual "600bps/Long" sub-mode (Fig. 1): waveform that is easily recognizable and then demodulable by almost all software decoders. Given the evidence of regular patterns, I reshaped the demodulated stream to a 12-bit format, just as the number of the input ports of the GA-205 TDM. After reshaping, you can clearly see that the 12 input channels transport exactly the same data (Fig. 2).

Then I exctracted a single payload (i.e. a column of the stream), reshaped it to a 7-bit frames format and tested it for LFSR delimitation: as expected, the KW-46 "sign" was detected (Fig. 3). Indeed, as from STANAG-5065, the "Fibonacci bits" originated by the polynomial x^31+x^3+1 are used by KW-46 cryptographic equipment to provide  synchronization.  

In synchronous mode the TDM works by the muliplexer giving exactly the same time slot to each device connected to it even if one or more devices have nothing to transmit. The data rates of different input devices control the number of the slots: a device may have one slot, other may have two or three according to their data rate. In this case, all the input channels have the same data rate of 600:12=50 Baud, therefore share the same number of slots.  Managing a TDM requires that some control bits (sync, device tagging, ...) be appended to the beginning of each slot, but I did not find such bits in the streams I demodulated: a recording of the initial part of a similar transmission could help.
From what above, in my opinion the heard S4285 transmission is a fleet broadcast consisting of 12 "flat multiplexed" [2] channels that transport the same KW-46/KIV-7M secured payload (real traffic or pseudo-random chars).

Monitoring the 6378.0 KHz frequency, on May 25 I saw that they switched to the ISB mode (Fig. 4), more precisely: LSB for a single channel fleet broadcast and USB for a multi channel (GA-205 TDM) fleet broadcast; both the broadcasts are KW-46 secured and use the same STANAG-4285 600bps/L waveform. Don't know if they carry the same payloads. 
The same STANAG-4285 configuration and broadcast paradigm were also spotted on 7462, 8460.2, 9140, 10368, 10407, and 10847.2 KHz (logged on May, 28): surely there are many other operating frequencies that I do not currently know.

For what concerns the source of the signal, TDoA direction findings indicate the "Naval Communication Station Harold E. Holt" (NCS HEH) which is located 6km north of Exmouth (Fig. 5). COMMSTA HEH is jointly manned by Royal Australian Navy and US Navy Personnel. The High Frequency Transmitter (HFT) site building houses a number of transmitters, many of which are dedicated to point to point communication circuits. These circuits are established with shore facilities and navy surface ships operating within the station's area of communications responsibility.
My friend Eddy Waters (member of Utility DXers Forum) from Australia emailed me: "there seem to be transmitter site changes happen at different times of the day. Sometimes these signals come from Exmouth Western Australia, sometimes from Lyndoch, New South Wales, sometimes from Humpty Doo, Northern Territory. There are more and more frequencies changing over to the ISB STANAG setup that you describe".
Fig. 5

As far as I know, RAN fleet broadcasts come in using the GA-205 in a 6-channels configuration, it's not clear to me the use of 12-channels that - moreover- transport the same payload. I tried to reshape the stream to a 6-bit frames format (and 6-bit multiples)... but the KW-46 synch missed. By the way,  it's interesting to mention the KW-46 secured transmissions (probably also them from RAN) reported here: https://i56578-swl.blogspot.com/.../kw-46-secured-traffic-over-188-110a.html
[1]  https://www.yumpu.com/.../ga-205-time-division-multiplexer
[2] I used the term "flat multiplexed" to mean the fact that no classified multiplexing algorithm seems to be used.

24 May 2019

KG-84, KW-46, ...

In this blog I often use terms like "KG-84", "KW-46", "BID",..., as well as the names of other cryptographic devices, but this does not necessarily mean that those devices are physically used ashore or on aboard of ships! Rather than to the equipments, those names must be understood as referring to the used "algorithms", since - unless few exceptions - many of those devices are now obsolete and no longer used. Actually, the algorithms are emulated by interoperable and more compact devices such as - for example - the KIV-7M Programmable Multi-Channel Encryptor that can be used for communicating with a KIV-7 family device or the older KG-84/BID family of devices.
In general:
KG means Key Generator which could be used with any digital input device;
KI is for data transmission;
KW is the prefix for a Teletype encryption device;
KY stands for a voice encryption device. 

Also note that these products are only used by the US Government, their contractors, and federally sponsored non-US Government activities, in accordance with the International Traffic in Arms Regulations (ITAR), as well as by NATO and by the administrations of some NATO countries.

22 May 2019

THALES HFXL, "wide band link" phase? (tentative)
AngazU, i56578

In our recent THALES HFXL monitorings we noted an initial "leader" burst which is exchanged in each frequency of the channel between the peers, the exchanges occurs after the 2G-ALE phase and just before the traffic starts: in our guess it appears to be the "wide band link", i.e. the third step of the HFXL link establishment procedure.
The used waveform is the same of HFXL-S4539: you may note the presence of the Thales "extented" preamble in Fig. 1

Fig. 1 . the presence of the THALES extened preamble following the S4539 normal preamble
It's interesting to note that after removing the mini-probes, the data blocks symbols show a regular structure of 768 bits (!), i.e. the 256 tribit data symbols of the S4539 framing appear as composed of repeated sequences/data; indeed, such a perfect 768-bit period does not occur in cases where user data such as chat, HTML, FTP, emails,... are sent. The presence of such repetitions is also clearly visible at a glance in the bistream (Fig. 2).

Fig. 2
Another clue in favor of repeated sequences in the data blocks is the ease with which the autocorrelation of 27648 bits is detected (Fig. 3): that's the length of the inteleaver block and just thanks to repeated data that it's possible to mark it. Also, the strong result of the autocorrelation leads to think of the use of Walsh Orthogonal Modulation, although it's not provided in S4539. Indeed, the detection of the interleaver length is facilitated because the last di-bit in any interleaver block is identified by the use of alternate set of Walsh sequences.

Fig. 3 - result from the autocorrelation
AngazU edited a header to eliminate the miniprobes (roughly)  and the resulting ACF is 26.6 ms considering both polarities and 13.3 ms considering only one. This indicates that it could be a walsh code of 32 symbols that is repeated inverted (Fig.4): 64 (32+32) symbols lasting ~26.6ms makes a data rate of 2400 Baud.
But be careful, it's just a speculation! We'll need a good quality recording to demodulate it and to verify it at  bit level.

Fig. 4

From the above, we think that the initial bursts use Walsh modulation and are used as a negotiation phase before the traffic starts: possibly we are facing with the "wide band link" (Fig. 4) that makes use of the "Cognitive Engine" software during the link establishment procedure, taking into account information on MUF, requested SNR, noise level, propagation modes, antenna performances.
As said, the above are only our hypotheses, we do not yet have any confirmation of them. Comments are welcome.

Fig. 4 - HFXL link establishment procedure

18 May 2019

KW-46 secured traffic over 188-110A, prob. US/Australian NCS HEH

These signals were recorded and monitored on 14462.0 KHz/USB thanks the KiwiSDRs at OI33 and OI33SA in Jakarta, Indonesia:

behavior and waveform Transmissions take place mainly during the morning time UTC, probably scheduled from Thursday to Saturday, and consist of very long traffic sessions (
although not continuous, as S4285 broadcasts are) alternated with equally long idling sequences. Several times I went late on the signal and given the lack of preamble re-insertions in the 110A waveform, the acquisition of sync, and the consequent decoding, were impossible. After days of long monitoring I had the chance to record the start of a transmission and then identify the mode, i.e.: 600bps/Long.
Since the absence of any "ALE phase" in the time interval immediately preceding the start of the transmission (Fig. 1), it's difficult say if we're dealing with PtP or broadcast transmissions to staring receivers in standby.

Fig. 1
The analysis of the frame structure (Fig. 2) confirms 110A operations at low datarates: each frame is composed of 40 tribit symbols, or 120 bits, (20 symbols for miniprobe + 20 symbols for data). In low datarate modes, from 150 to 1200 bps, the 480-bit length of the 110A scrambler exactly matches four frames (i.e.: 4 x 120 bits) and so it produces the strong 66.67ms spikes which are visible in the auto-correlation function.

Fig. 2
bitstream analysis The most certainly interesting aspect is the use of KW-46 encryption to secure data transfers (Fig. 3). Usually, the KW-46 crypto device is used in USN/NATO fleet broadcast paired with FSK 50Bd/850 or S4285 modems: it's the first time I see KW-46 secured traffic carried on air by 188-110A.

Fig. 3 - Fibonacci's bits in the demodulated bitstream
source and user As for the signal source, although the TDoA algorithm may be inaccurate due to the few KiwiSDRs in that region, considering the use of KW-46 crypto devices a plausible hypothesis can be the Royal Australian Navy (RAN) Naval Communication Station "Harold E. Holt" at Exmouth (NCS HEH) [1]. Royal Australian Navy is the naval branch of the Australian Defence Force (ADF).

Fig. 4 TDoA result and HEH site

NCS HEH is a joint US/Australian radio relay station comprising three separate main areas: Area A (Register no. 103552), located at Cape Murat, the VLF facility comprises the Very Low Frequency Transmitter, a deep-water pier, the primary Power Plant and a POL Tank Farm; Area B (Register no. 102767) includes Administration and HF Transmission; and Area C (Register no.103554) HF Reception. Areas "B" and "C" facilities are dedicated to point to point communication circuits. These circuits are established with shore facilities and navy surface ships operating within the station's area of communications responsibility.